Business continuity vs. emergency management

There is overlap between business continuity and emergency management, but don't confuse the two. They are separate but equally critical disaster recovery practices.

Business continuity planning and emergency management focus on ensuring that an organization is prepared for adverse events. Even so, these critical practices each serve a different purpose.

Business continuity planning involves taking steps, before a crisis takes place, to prevent IT operations from being interrupted. Emergency management is more reactive. It involves taking immediate steps to protect the organization's property and employees during a disruption.

There tends to be quite a bit of overlap between business continuity planning and emergency management, leading to some organizations conflating the two when planning for a recovery. After all, business continuity planning involves planning what the organization will do when faced with a crisis, while emergency management is all about taking immediate steps to deal with a disruption that has just happened. However, both are distinct components of a disaster recovery strategy.

Crisis management is another related but separate practice, most often confused with emergency management. The two might seem synonymous at a glance, but crisis management differs in that it typically deals with minimizing an incident's impact both short term and long term. Often focused on public relations, crisis management typically involves minimizing reputational damage and any legal complications.

Together, business continuity and emergency management help keep an organization operating before, during and after a disaster. Learn more about the distinctions between the two and when crisis management comes into play.

Get started with business continuity

The best business continuity planning is proactive in nature. It involves creating a contingency plan that can help an organization keep mission-critical IT workloads running in times of crisis. IT outages in an enterprise environment can easily cost millions of dollars per hour, so larger organizations typically go to great lengths to make sure that an outage never happens.

Although the main goal behind business continuity planning is to keep key workloads online, the planning process itself tends to be quite broad in scope. While much of the planning process does center around ensuring the IT infrastructure's reliability, business continuity planning also considers backups, disaster recovery, and the roles and responsibilities of employees. A business continuity plan must also ensure that the necessary staff members are available during the crisis and have the resources that they need to keep workloads running.

Business continuity planning is usually an organization-wide effort, involving more than just the IT staff. At a minimum, an organization's management team will be involved in the business continuity planning process. Often though, the organization will also work with outside vendors as a way of making sure that it can acquire computer hardware, data center space or any other required resources in times of crisis.

Some examples of business continuity planning include planning for a data center outage or planning for a disaster such as a fire or hurricane. In both situations, an organization would likely need a plan for moving operations to the cloud or to an alternate data center until normal operations can resume.

Emergency management and business continuity

Emergency management focuses on an organization's immediate response to a crisis. There are four standard phases of emergency management that businesses follow: mitigation, preparedness, response and recovery. Exact processes vary widely depending on the type of disaster, but emergency management steps might include evacuating a building and contacting the authorities, or isolating systems that were impacted by a ransomware attack and restoring a backup.

[Figure: 4 phases of emergency management]

In a perfect world, emergency management would be defined as enacting the protocols and procedures that have been documented within the organization's business continuity plan. However, emergency management might only loosely align with an organization's business continuity plan. There are two main reasons for this.

The first of these reasons is that every emergency is different, and it is impossible for an organization to anticipate and plan for every conceivable event. The business continuity plan can help provide general guidance and help anticipate common risks, but few plans can account for every possibility.

For example, a business continuity plan should outline the organization's response to a ransomware attack. However, there are many different types of ransomware, so the plan is not going to be able to provide the exact steps that the organization would need to follow during a ransomware attack. Instead, the plan would probably provide a high-level overview of the organization's ransomware response plan, and this plan might need to be adapted based on the circumstances.

A second reason why emergency response might not align perfectly with a business continuity plan is that some responses are purely instinctual. Similarly, the instructions contained within a business continuity plan might not be practical.

For example, an organization's business continuity plan might say that, in the event of a fire, the organization's safety officer is to contact the fire department. However, if a fire were to actually happen, employees would be unlikely to waste time looking for the organization's safety officer so that this individual can contact the fire department. Instead, at least some of the employees would probably take the initiative to contact the fire department themselves.

What about crisis management?

Crisis management is different from business continuity planning and emergency response in that it deals primarily with the public relations and communications aspects of a disaster. Following a major disaster, an organization's crisis management team would likely manage business social media accounts, field questions from the press and begin coordinating with legal counsel to limit any losses related to litigation.

Like emergency response, crisis management protocols are typically addressed as a part of the business continuity planning process. However, while the business continuity plan might only be able to provide general guidance to those in emergency management roles, the crisis management team will likely be given detailed protocols and instructions as part of business continuity planning. The crisis management team's job is to limit legal and reputational damage. Naturally, the team's responses should be planned ahead of time, with assistance from the organization's legal team.

Without such preplanning, there is a significant risk that someone on the crisis management team could accidentally say or post something that exposes the organization to additional legal risk or that further harms the organization's reputation.

Brien Posey is a 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.
